Article
ID: 17540
Date: 5 December 2005
Updated: 14 March 2007
Store hotfix 6.5.7233.54 corrects a "security hole" that allows a delegate user to send e-mail messages from another user's mailbox as the mailbox owner even though the delegate does not have Send As rights. The GoodLink Server will continuously pause all users with MAPI_E_NO_ACCESS (-2147024891) when attempting to send inbound messages from the mobile device, until this new Send As right is set for the GoodAdmin account.
Failed to submit mail message for user johndoe. (HRESULT:-2147024891) Pausing user johndoe. (Security error - Cannot access the users mailbox.)
If the store hot-fix is removed, message flow resumes on GoodLink. Please see KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;895949
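For triage, the pause message above can be matched in log text to list which users are failing with MAPI_E_NO_ACCESS rather than for some other reason. This is an added example, not part of the original article or of Good's tooling; the sample log text is constructed from the message quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

MAPI_E_NO_ACCESS = 0x80070005  # logged in signed form as -2147024891

# Constructed sample modelled on the message quoted in this article.
# The first entry is wrapped across lines; the last uses a different HRESULT.
SAMPLE_LOG = """\
Failed to submit
mail message for user johndoe. (HRESULT:-2147024891) Pausing user johndoe. (Security
error - Cannot access the users mailbox.)
Failed to submit mail message for user asmith. (HRESULT:-2147024891) Pausing user asmith. (Security error - Cannot access the users mailbox.)
Failed to submit mail message for user bjones. (HRESULT:-2147221233) Pausing user bjones.
"""

EVENT = re.compile(
    r"Failed to submit mail message for user (\S+?)\. \(HRESULT:(-?\d+)\)")

def to_unsigned(hresult: int) -> int:
    """HRESULTs are logged as signed 32-bit integers; recover the unsigned value."""
    return hresult & 0xFFFFFFFF

def decode(hresult: int) -> dict:
    """Split an HRESULT into its standard fields (severity, facility, code)."""
    u = to_unsigned(hresult)
    return {"hex": f"0x{u:08X}", "failure": bool(u >> 31),
            "facility": (u >> 16) & 0x7FF, "code": u & 0xFFFF}

def send_as_failures(log_text: str) -> dict:
    """Return {user: count} for submit failures caused by MAPI_E_NO_ACCESS."""
    flat = " ".join(log_text.split())  # undo line wrapping inside entries
    hits = Counter()
    for user, raw in EVENT.findall(flat):
        if to_unsigned(int(raw)) == MAPI_E_NO_ACCESS:
            hits[user] += 1
    return dict(hits)

if __name__ == "__main__":
    print(decode(-2147024891))  # facility 7 (Win32), code 5 (access denied)
    for user, count in sorted(send_as_failures(SAMPLE_LOG).items()):
        print(f"{user}: {count} access-denied submit failure(s)")
```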
Cause: Microsoft discovered that a small part of the code in a series of their store.exe hot-fixes from ver. .51-.54 breaks our Good environment. The hot-fix affects the schema of the "Send As" permission set in Exchange System Manager (ESM) at the Org level. The hot-fix, which addresses security holes, changes the "Send As" permission requirement so that it must be set from Active Directory and not from the ESM Security tab.
Remedy: Give the GoodAdmin Service Account "Send As" permissions in Active Directory Users and Computers (ADUC):
The following steps apply the Send As permission to the GoodAdmin account for a domain. This permission must be applied to the GoodAdmin account for each domain containing GoodLink users. For example, in a forest with two child domains, A and B, this permission needs to be set for the GoodAdmin account for both domain A and domain B. If there are restrictions that do not allow the permissions to propagate from a domain to each organizational unit (this is common in hosted environments) then permissions need to be applied for each OU as well. Note that if you set this permission at the forest root domain level, it will not propagate to the child domains. You must repeat the following steps to assign the permission to the GoodAdmin account for each domain and/or OU.
Perform the following steps to give the GoodAdmin account "Send As" permissions in Active Directory Users and Computers (ADUC):
1) Launch ADUC. (Start > Administrative Tools > Active Directory Users and Computers)
2) Enable the advanced features view so that you will be able to see the security tab. (Select menu - View > Advanced Features)
3) Highlight your domain, right click on it and click on "properties".
4) Click the "Security" tab and then click "Add".
5) Enter the name of your GoodAdmin Service Account and click OK.
6) Now highlight your GoodAdmin Service Account and press the "Advanced" button.
7) In the Advanced Security Settings window click "Add".
8) Enter the name of your GoodAdmin Service Account and click OK.
9) Now a new "permissions entry" window will pop up. You need to select "User Objects" in the "Apply onto" drop-down box. (It's down toward the bottom of the list.)
10) Click the allow check box for the "Send As" right and select OK. Note: make sure that deny is not checked for this right.
11) Click OK to close the Advanced Security Settings window. The new entry for the GoodAdmin Service Account will show up in the permission entry list.
12) Click OK to close the properties window. The GoodAdmin Service Account should show Special Permissions set to allow.
The "Send As" permission has now been set. Please note that it may take up to 90 minutes for the Exchange Information Store to update its permissions cache and for the GoodLink server to un-pause and reconnect to the user's mailbox. Exchange replication alone can take approximately 70 minutes; therefore, to un-pause users immediately you may restart the GoodLink Server service after 70 minutes.
Troubleshooting - Please utilize the following articles:
If some or all users remain paused after the allotted replication time please review:
17773: Users are still paused after applying the GoodAdmin service account "Send As" right for the Microsoft (MS) Exchange 2003 Message Store Hot-fix
Microsoft has a script that will create a report of users who do not have the "Send As" right effectively applied to their mailbox.
17772: How to run Microsoft's reporting script to see which users do not have the "Send As" right applied for the GoodAdmin Service Account
Good's Test Send utility will create a MAPI login for the "user profile" specified, and attempt to send email to a specified address.
17771: How to run Good's Test Send utility to verify that a specified user has the "Send As" right applied for the GoodAdmin Service Account
Known MS patches that cause this "Send As" issue:
KB 907434 - http://support.microsoft.com/kb/907434 - June 19, 2006 Revision 2.1
KB 912442 - http://support.microsoft.com/kb/912442 - June 13, 2006 Revision 1.0
KB 916803 - http://support.microsoft.com/kb/916803 - May 18, 2006 Revision 3.1
keyword(s): hotfix, msft, mskb, ms, patch, exch, paused, pausing, pause.